
Track and list the internal network endpoints that Cloud Services connect to
Open, Medium, Public

Description

Develop and maintain a manifest of what Cloud Services are actually consuming as far as internal network endpoints for future virtualization, tracking and consideration.

A jump start on this with a specific goal is T207536: Move various support services for Cloud VPS currently in prod into their own instances
Current resources include this list (which needs an update on labstores): https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Neutron_ideal_model#supporting_services
An example config from our network management system is https://github.com/wikimedia/operations-homer-public/blob/master/templates/cr/firewall.conf#L1437

Event Timeline

Bstorm triaged this task as Medium priority. Mar 31 2020, 5:39 PM
Bstorm created this task.
Restricted Application added a subscriber: Aklapper. Mar 31 2020, 5:39 PM

Right away, I see that there are services in homer that have been decommissioned.
I see:

  • labstore1001/2/3 T187456 (replaced by cloudstore1008/9, which live in the public network)
  • labsdb1004/5/6/7 T216749 T220144 (all now on VMs)

Besides that:

  • dbproxies for the wikireplicas are changing, which might just need a labeling change in comments T231520
  • port restrictions for labstores may have changed as a result of https://gerrit.wikimedia.org/r/c/operations/puppet/+/571821, which makes the labstore1004/5 set more firmly nfsv4 than they were. We may be able to close some of those ports that are currently open.
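As an added example (not code from the task, Homer, or the Puppet repository), the kind of audit the comment above is doing by hand: parse the `term` blocks of a firewall filter into a manifest of destination hosts and ports, then flag terms whose destinations are decommissioned, since an allow rule for a host that no longer exists is an exposure nobody is tracking. The filter text is a constructed, simplified Junos-style sample, not the real `templates/cr/firewall.conf`; the `dbproxy1010`/`dbproxy1011` names and the port numbers are constructed too, while the labstore/labsdb host names come from the comment.

```python
import re

# Constructed sample in a simplified Junos-style syntax; the real Homer
# template is richer and is not reproduced here.
SAMPLE_FILTER = """
term labstore-nfs {
    from {
        destination-address { labstore1001 labstore1002 labstore1003 }
        destination-port [ 111 2049 32765 32767 ]
    }
    then accept;
}
term wikireplicas {
    from {
        destination-address { dbproxy1010 dbproxy1011 }
        destination-port 3306
    }
    then accept;
}
term cloudstore-nfs {
    from {
        destination-address { cloudstore1008 cloudstore1009 }
        destination-port 2049
    }
    then accept;
}
"""

# Hosts the comment above lists as decommissioned (constructed set for the example).
DECOMMISSIONED = {"labstore1001", "labstore1002", "labstore1003",
                  "labsdb1004", "labsdb1005", "labsdb1006", "labsdb1007"}

# A term body runs until the first closing brace at column 0.
TERM_RE = re.compile(r"term\s+(\S+)\s*\{(.*?)\n\}", re.S)
ADDR_RE = re.compile(r"destination-address\s*\{([^}]*)\}")
PORT_RE = re.compile(r"destination-port\s*(\[[^\]]*\]|\S+)")

def parse_terms(text):
    """Build the manifest: {term_name: {"hosts": [...], "ports": [...]}}."""
    manifest = {}
    for name, body in TERM_RE.findall(text):
        addr = ADDR_RE.search(body)
        hosts = addr.group(1).split() if addr else []
        port = PORT_RE.search(body)
        ports = port.group(1).strip("[]").split() if port else []
        manifest[name] = {"hosts": hosts, "ports": [int(p) for p in ports]}
    return manifest

def decommissioned_hosts(manifest, decommissioned):
    """Map each affected term to the destination hosts in it that no longer exist."""
    return {n: [h for h in e["hosts"] if h in decommissioned]
            for n, e in manifest.items()
            if any(h in decommissioned for h in e["hosts"])}

def stale_terms(manifest, decommissioned):
    """Terms whose every destination host is decommissioned: candidates to remove."""
    return sorted(n for n, e in manifest.items()
                  if e["hosts"] and all(h in decommissioned for h in e["hosts"]))
```

Running `stale_terms(parse_terms(SAMPLE_FILTER), DECOMMISSIONED)` on the sample reports only `labstore-nfs`; a term that mixes live and dead hosts shows up in `decommissioned_hosts` instead, so it can be trimmed rather than deleted.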
JHedden assigned this task to Bstorm. May 5 2020, 4:49 PM
JHedden added a subscriber: JHedden.

Check if we have any netflow data from the network devices that would allow us to query src and dest traffic

ayounsi added a comment. Edited May 6 2020, 11:29 AM

Note that we only have netflow at our borders, and we sample 1:1000 so it might not be the right tool for now.

There are several options though: